Some history: I’ve been using Linux since 1998, when a friend of mine showed me RedHat 5.0. I was instantly hooked, and over the years I’ve spent a lot of time using various flavors of Linux and other Open Source tools. For the past 6 years or so, it’s been my job to administer Linux systems. I’ve used various distributions for this task: RedHat, Fedora, Debian, and Gentoo.
When I read Why Gentoo Shouldn’t be on Your Server, I felt Gentoo was getting a bad rap. I’m currently using Gentoo on a number of production servers for a fairly heavily-used website. Gentoo has simplified my administration tasks greatly, and allowed me the flexibility I need to build the best possible set of systems to handle the job at hand.
My current setup has 10 identical machines running Gentoo. One of them I’ve designated as my ‘build server.’ It handles the actual building of new packages, which removes most of the time spent updating software on the other nine. My other two Gentoo-based machines have rather different configurations (one is even a sparc), so they have to build their own sets. All of these machines have been running Gentoo for over a year.
For any build process, I’ve found screen to be indispensable. I’ll start up (or reconnect) a screen session, then start the emerge process. Usually I’ll add ‘nice -n19’ to the beginning of the command to minimize the impact of the build process. Every time I update, I ‘emerge -uDav world’. The -a (ask) flag makes emerge list what it is about to do and wait for confirmation, which allows me to review upcoming changes. The only reason I do this is to see if any php webapp updates are coming in - I need to handle the upgrades for those by hand still.
Updating Configuration Files
Once the build is done, etc-update lets me view the list of updates. I never bother reading through changes to init scripts (/etc/init.d/*), as I trust the distribution enough to handle those. In fact, I trust the distribution to do the right thing 90% of the time, and often I end up just entering ‘-5’ to let the update system auto-merge all the latest changes. Note that ‘-5’ replaces every pending file, including any you have edited locally, so check the list for your own files before using it. This is what other distributions do most of the time behind your back, anyway.
It’s only for those few configuration files that I have changed where I need to take a look and handle things manually. For those, I’ll look at the diff first (it’s what comes up when you select the update). Most of the time here, I’ll see the update is trivial and either let it apply (‘1’) or ignore it (‘2’). Sometimes I’ll need to edit the two together - choosing bits and pieces from each to ensure the proper result is achieved. Here, etc-update uses a very intuitive merging tool (‘3’). For each change, you can choose which version to use. The old file is on the left, the update is on the right. To use the left hand’s version, you just enter ‘l’. For the right’s version, ‘r’. Only about 1% of the time do I need to do something else, and then I’ll enter ‘ed’ to edit both versions together. All in all, this makes handling configuration updates very simple and ensures the distribution doesn’t do anything it shouldn’t behind your back.
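The mechanism behind etc-update is simple: for every file in a CONFIG_PROTECT directory, Portage leaves the package’s new version next to it as ‘._cfg0000_<name>’ instead of overwriting it. The script below is an added example, not part of the original post or of Portage itself, that triages those pending files before you start the interactive merge: brand-new files are installed, proposals identical to what is already there are dropped, and only files that really differ from the live copy are left for etc-update. The sample tree it builds (an sshd_config with a local PermitRootLogin hardening, an unchanged init script, and a new file) is constructed for the demonstration; the script never touches the real /etc.

```shell
#!/bin/sh
# Added example: triage Portage's pending ._cfg####_<name> config updates.
# Works on any directory; the sample tree below is constructed for the demo.

# Print "proposed<TAB>current" for every ._cfg####_ file under DIR.
pending_updates() {
    find "$1" -name '._cfg[0-9][0-9][0-9][0-9]_*' -type f | sort |
    while read -r proposed; do
        base=$(basename "$proposed")
        printf '%s\t%s\n' "$proposed" \
            "$(dirname "$proposed")/${base#._cfg[0-9][0-9][0-9][0-9]_}"
    done
}

# One of: new (no live file yet), identical (nothing changed), review.
classify_update() {
    if [ ! -e "$2" ]; then echo new
    elif cmp -s "$1" "$2"; then echo identical
    else echo review
    fi
}

# Install "new" files, drop "identical" proposals, and leave "review"
# ones in place for etc-update. Prints "kind<TAB>live-file" per entry.
# The here-document keeps the loop out of a subshell (POSIX sh).
triage() {
    tab=$(printf '\t')
    while IFS="$tab" read -r proposed current; do
        [ -n "$proposed" ] || continue
        kind=$(classify_update "$proposed" "$current")
        case $kind in
            new)       mv "$proposed" "$current" ;;
            identical) rm "$proposed" ;;
            review)    : ;;   # a human (or etc-update's '3' merge) decides
        esac
        printf '%s\t%s\n' "$kind" "$current"
    done <<EOF
$(pending_updates "$1")
EOF
}

# Constructed sample tree: what an emerge run might leave behind.
make_sample() {
    mkdir -p "$1/etc/init.d" "$1/etc/ssh"
    # locally hardened file vs. the package default: must be reviewed,
    # since an unattended '-5' would silently re-enable root login
    printf 'PermitRootLogin no\n'  > "$1/etc/ssh/sshd_config"
    printf 'PermitRootLogin yes\n' > "$1/etc/ssh/._cfg0000_sshd_config"
    # init script rebuilt but unchanged: safe to drop the proposal
    printf 'start() { :; }\n' > "$1/etc/init.d/sshd"
    printf 'start() { :; }\n' > "$1/etc/init.d/._cfg0000_sshd"
    # a file the package ships that did not exist before: safe to install
    printf 'new=1\n' > "$1/etc/._cfg0000_newfile.conf"
}

# Demo run on a throwaway directory.
demo=$(mktemp -d)
make_sample "$demo"
triage "$demo"       # prints: new, identical, review (one line each)
rm -rf "$demo"
```

Run triage against /etc (as root) only after reading its output once on a copy; the ‘review’ lines are exactly the files where the ‘l’/‘r’ merge in etc-update is worth your attention.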
One of the previous article’s main gripes was about profile updates. Let’s reiterate: Gentoo is a source based distribution. In order to apply security updates, you need to have up-to-date dependencies. In order to have up-to-date dependencies, you need to have a capable base system. These profile updates ensure just that—that you have an updated base system. I’ve found profile updates to be painless. All I do is update the /etc/make.profile link, ‘emerge -e system’, then ‘emerge -e world’. Again, thanks to the use of nice and screen, I don’t even notice the compile time spent here. My non-build servers spend no time at all. I have never had to rebuild one of my machines from scratch. If I ever do, I’ll wonder what I did to break Gentoo’s well-designed build system.
In short, Gentoo is one of the most well thought out distributions I’ve ever used. The irony is that I don’t use it on my desktop! I use Ubuntu, mostly because I don’t need the flexibility Gentoo provides and I don’t want to use noticeable processor time building new packages.
Gentoo, through portage, provides a robust, friendly, and dependable build system. It is also important not to forget one of Gentoo’s driving philosophies: If you don’t need the package on your system, don’t install it. Use those USE flags to reduce the number of unneeded dependencies! If you only build what you need, you will spend less time building. When you run ‘emerge -uD world’, you know that the updates you’re getting are updates you need. Unlike under most distributions, my servers run with a minimalist list of installed packages. This saves me headaches from security issues, since code that isn’t installed can’t be exploited, and also decreases the disk footprint of the OS, allowing me to use that capacity for business needs instead.
I’ve occasionally questioned my use of Gentoo on my servers, but each time I come back to Portage. No other distribution lets me control with such a fine grain what goes on my system. No other distribution offers the wealth of packages Gentoo does. Other distributions might be easier to administer, day to day, but they do this by hiding from you things that I actually use. If it’s your job to administer servers, why not take the time to learn about what’s happening? You’ll end up being a lot less paranoid, and a much more capable admin. You’ll even end up saving yourself a lot of time.